<?xml version="1.0" encoding="iso-8859-1" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content=
    "application/xhtml+xml; charset=iso-8859-1" />
    <title>
      Shadow-4.8.1
    </title>
    <link rel="stylesheet" type="text/css" href="../stylesheets/lfs.css" />
    <meta name="generator" content="DocBook XSL Stylesheets V1.79.1" />
    <link rel="stylesheet" href="../stylesheets/lfs-print.css" type=
    "text/css" media="print" />
  </head>
  <body class="blfs" id="blfs-9.1">
    <div class="navheader">
      <h4>
        Beyond Linux<sup>�</sup> From Scratch <span class="phrase">(System
        V</span> Edition) - Version 9.1
      </h4>
      <h3>
        Chapter&nbsp;4.&nbsp;Security
      </h3>
      <ul>
        <li class="prev">
          <a accesskey="p" href="polkit.html" title="Polkit-0.116">Prev</a>
          <p>
            Polkit-0.116
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="ssh-askpass.html" title=
          "ssh-askpass-8.2p1">Next</a>
          <p>
            ssh-askpass-8.2p1
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 9.1">Home</a>
        </li>
      </ul>
    </div>
    <div class="sect1" lang="en" xml:lang="en">
      <h1 class="sect1">
        <a id="shadow" name="shadow"></a>Shadow-4.8.1
      </h1>
      <div class="package" lang="en" xml:lang="en">
        <h2 class="sect2">
          Introduction to Shadow
        </h2>
        <p>
          <span class="application">Shadow</span> was indeed installed in LFS
          and there is no reason to reinstall it unless you installed
          <span class="application">CrackLib</span> or <span class=
          "application">Linux-PAM</span> after your LFS system was completed.
          If you have installed <span class="application">CrackLib</span>
          after LFS, then reinstalling <span class=
          "application">Shadow</span> will enable strong password support. If
          you have installed <span class="application">Linux-PAM</span>,
          reinstalling <span class="application">Shadow</span> will allow
          programs such as <span class=
          "command"><strong>login</strong></span> and <span class=
          "command"><strong>su</strong></span> to utilize PAM.
        </p>
        <p>
          This package is known to build and work properly using an LFS-9.1
          platform.
        </p>
        <h3>
          Package Information
        </h3>
        <div class="itemizedlist">
          <ul class="compact">
            <li class="listitem">
              <p>
                Download (HTTP): <a class="ulink" href=
                "https://github.com/shadow-maint/shadow/releases/download/4.8.1/shadow-4.8.1.tar.xz">
                https://github.com/shadow-maint/shadow/releases/download/4.8.1/shadow-4.8.1.tar.xz</a>
              </p>
            </li>
            <li class="listitem">
              <p>
                Download MD5 sum: 4b05eff8a427cf50e615bda324b5bc45
              </p>
            </li>
            <li class="listitem">
              <p>
                Download size: 1.5 MB
              </p>
            </li>
            <li class="listitem">
              <p>
                Estimated disk space required: 33 MB
              </p>
            </li>
            <li class="listitem">
              <p>
                Estimated build time: 0.2 SBU
              </p>
            </li>
          </ul>
        </div>
        <h3>
          Shadow Dependencies
        </h3>
        <h4>
          Required
        </h4>
        <p class="required">
          <a class="xref" href="linux-pam.html" title=
          "Linux-PAM-1.3.1">Linux-PAM-1.3.1</a> or <a class="xref" href=
          "cracklib.html" title="CrackLib-2.9.7">CrackLib-2.9.7</a>
        </p>
        <p class="usernotes">
          User Notes: <a class="ulink" href=
          "http://wiki.linuxfromscratch.org/blfs/wiki/shadow">http://wiki.linuxfromscratch.org/blfs/wiki/shadow</a>
        </p>
      </div>
      <div class="installation" lang="en" xml:lang="en">
        <h2 class="sect2">
          Installation of Shadow
        </h2>
        <div class="admon important">
          <img alt="[Important]" src="../images/important.png" />
          <h3>
            Important
          </h3>
          <p>
            The installation commands shown below are for installations where
            <span class="application">Linux-PAM</span> has been installed
            (with or without a <span class="application">CrackLib</span>
            installation) and <span class="application">Shadow</span> is
            being reinstalled to support the <span class=
            "application">Linux-PAM</span> installation.
          </p>
          <p>
            If you are reinstalling <span class="application">Shadow</span>
            to provide strong password support using the <span class=
            "application">CrackLib</span> library without using <span class=
            "application">Linux-PAM</span>, ensure you add the <em class=
            "parameter"><code>--with-libcrack</code></em> parameter to the
            <span class="command"><strong>configure</strong></span> script
            below and also issue the following command:
          </p>
          <pre class="userinput">
<kbd class=
"command">sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</kbd>
</pre>
        </div>
        <p>
          Reinstall <span class="application">Shadow</span> by running the
          following commands:
        </p>
        <pre class="userinput">
<kbd class="command">sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;

find man -name Makefile.in -exec sed -i 's/groups\.1 / /'   {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \; &amp;&amp;

sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
    -e 's@/var/spool/mail@/var/mail@'                 \
    -i etc/login.defs                                 &amp;&amp;

sed -i 's/1000/999/' etc/useradd                      &amp;&amp;

./configure --sysconfdir=/etc --with-group-name-max-length=32 &amp;&amp;
make</kbd>
</pre>
        <p>
          This package does not come with a test suite.
        </p>
        <p>
          Now, as the <code class="systemitem">root</code> user:
        </p>
        <pre class="root">
<kbd class="command">make install</kbd>
</pre>
      </div>
      <div class="commands" lang="en" xml:lang="en">
        <h2 class="sect2">
          Command Explanations
        </h2>
        <p>
          <span class="command"><strong>sed -i 's/groups$(EXEEXT) //'
          src/Makefile.in</strong></span>: This sed is used to suppress the
          installation of the <span class=
          "command"><strong>groups</strong></span> program as the version
          from the <span class="application">Coreutils</span> package
          installed during LFS is preferred.
        </p>
        <p>
          <span class="command"><strong>find man -name Makefile.in -exec ...
          {} \;</strong></span>: This command is used to suppress the
          installation of the <span class=
          "command"><strong>groups</strong></span> man pages so the existing
          ones installed from the <span class="application">Coreutils</span>
          package are not replaced.
        </p>
        <p>
          <span class="command"><strong>sed -e 's@#ENCRYPT_METHOD
          DES@ENCRYPT_METHOD SHA512@' -e 's@/var/spool/mail@/var/mail@' -i
          etc/login.defs</strong></span>: Instead of using the default 'DES'
          method, this command modifies the installation to use the more
          secure 'SHA512' method of hashing passwords, which also allows
          passwords longer than eight characters. It also changes the
          obsolete <code class="filename">/var/spool/mail</code> location for
          user mailboxes that <span class="application">Shadow</span> uses by
          default to the <code class="filename">/var/mail</code> location.
        </p>
        <p>
          <span class="command"><strong>sed -i 's/1000/999/'
          etc/useradd</strong></span>: Make a minor change to make the
          default useradd consistent with the LFS groups file.
        </p>
        <p>
          <em class=
          "parameter"><code>--with-group-name-max-length=32</code></em>: The
          maximum user name is 32 characters. Make the maximum group name the
          same.
        </p>
      </div>
      <div class="configuration" lang="en" xml:lang="en">
        <h2 class="sect2">
          Configuring Shadow
        </h2>
        <p>
          <span class="application">Shadow</span>'s stock configuration for
          the <span class="command"><strong>useradd</strong></span> utility
          may not be desirable for your installation. One default parameter
          causes <span class="command"><strong>useradd</strong></span> to
          create a mailbox file for any newly created user. <span class=
          "command"><strong>useradd</strong></span> will make the group
          ownership of this file to the <code class="systemitem">mail</code>
          group with 0660 permissions. If you would prefer that these mailbox
          files are not created by <span class=
          "command"><strong>useradd</strong></span>, issue the following
          command as the <code class="systemitem">root</code> user:
        </p>
        <pre class="root">
<kbd class="command">sed -i 's/yes/no/' /etc/default/useradd</kbd>
</pre>
      </div>
      <div class="configuration" lang="en" xml:lang="en">
        <h2 class="sect2">
          Configuring Linux-PAM to Work with Shadow
        </h2>
        <div class="admon note">
          <img alt="[Note]" src="../images/note.png" />
          <h3>
            Note
          </h3>
          <p>
            The rest of this page is devoted to configuring <span class=
            "application">Shadow</span> to work properly with <span class=
            "application">Linux-PAM</span>. If you do not have <span class=
            "application">Linux-PAM</span> installed, and you reinstalled
            <span class="application">Shadow</span> to support strong
            passwords via the <span class="application">CrackLib</span>
            library, no further configuration is required.
          </p>
        </div>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3">
            <a id="pam.d" name="pam.d"></a>
          </h3>
          <h4 class="title">
            <a id="pam.d" name="pam.d"></a>Config Files
          </h4>
          <p>
            <code class="filename">/etc/pam.d/*</code> or alternatively
            <code class="filename">/etc/pam.conf</code>, <code class=
            "filename">/etc/login.defs</code> and <code class=
            "filename">/etc/security/*</code>
          </p>
        </div>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3"></h3>
          <h4 class="title">
            <a id="idm45779283753152" name=
            "idm45779283753152"></a>Configuration Information
          </h4>
          <p>
            Configuring your system to use <span class=
            "application">Linux-PAM</span> can be a complex task. The
            information below will provide a basic setup so that <span class=
            "application">Shadow</span>'s login and password functionality
            will work effectively with <span class=
            "application">Linux-PAM</span>. Review the information and links
            on the <a class="xref" href="linux-pam.html" title=
            "Linux-PAM-1.3.1">Linux-PAM-1.3.1</a> page for further
            configuration information. For information specific to
            integrating <span class="application">Shadow</span>, <span class=
            "application">Linux-PAM</span> and <span class=
            "application">CrackLib</span>, you can visit the following link:
          </p>
          <div class="itemizedlist">
            <ul class="compact">
              <li class="listitem">
                <p>
                  <a class="ulink" href=
                  "http://www.deer-run.com/~hal/linux_passwords_pam.html">http://www.deer-run.com/~hal/linux_passwords_pam.html</a>
                </p>
              </li>
            </ul>
          </div>
          <div class="sect4">
            <div class="titlepage">
              <div>
                <div>
                  <h5 class="title">
                    <a id="pam-login-defs" name=
                    "pam-login-defs"></a>Configuring /etc/login.defs
                  </h5>
                </div>
              </div>
            </div>
            <p>
              The <span class="command"><strong>login</strong></span> program
              currently performs many functions which <span class=
              "application">Linux-PAM</span> modules should now handle. The
              following <span class="command"><strong>sed</strong></span>
              command will comment out the appropriate lines in <code class=
              "filename">/etc/login.defs</code>, and stop <span class=
              "command"><strong>login</strong></span> from performing these
              functions (a backup file named <code class=
              "filename">/etc/login.defs.orig</code> is also created to
              preserve the original file's contents). Issue the following
              commands as the <code class="systemitem">root</code> user:
            </p>
            <pre class="root">
<kbd class=
"command">install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
for FUNCTION in FAIL_DELAY               \
                FAILLOG_ENAB             \
                LASTLOG_ENAB             \
                MAIL_CHECK_ENAB          \
                OBSCURE_CHECKS_ENAB      \
                PORTTIME_CHECKS_ENAB     \
                QUOTAS_ENAB              \
                CONSOLE MOTD_FILE        \
                FTMP_FILE NOLOGINS_FILE  \
                ENV_HZ PASS_MIN_LEN      \
                SU_WHEEL_ONLY            \
                CRACKLIB_DICTPATH        \
                PASS_CHANGE_TRIES        \
                PASS_ALWAYS_WARN         \
                CHFN_AUTH ENCRYPT_METHOD \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
done</kbd>
</pre>
          </div>
          <div class="sect4">
            <div class="titlepage">
              <div>
                <div>
                  <h5 class="title">
                    <a id="idm45779283732336" name=
                    "idm45779283732336"></a>Configuring the /etc/pam.d/ Files
                  </h5>
                </div>
              </div>
            </div>
            <p>
              As mentioned previously in the <span class=
              "application">Linux-PAM</span> instructions, <span class=
              "application">Linux-PAM</span> has two supported methods for
              configuration. The commands below assume that you've chosen to
              use a directory based configuration, where each program has its
              own configuration file. You can optionally use a single
              <code class="filename">/etc/pam.conf</code> configuration file
              by using the text from the files below, and supplying the
              program name as an additional first field for each line.
            </p>
            <p>
              As the <code class="systemitem">root</code> user, replace the
              following <span class="application">Linux-PAM</span>
              configuration files in the <code class=
              "filename">/etc/pam.d/</code> directory (or add the contents to
              the <code class="filename">/etc/pam.conf</code> file) using the
              following commands:
            </p>
          </div>
          <div class="sect4">
            <div class="titlepage">
              <div>
                <div>
                  <h5 class="title">
                    <a id="idm45779283724576" name=
                    "idm45779283724576"></a>'login'
                  </h5>
                </div>
              </div>
            </div>
            <pre class="root">
<kbd class="command">cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<code class="literal"># Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth      required    pam_securetty.so

# Additional group memberships - disabled by default
#auth      optional    pam_group.so

# include system auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include system account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display date of last login - Disabled by default
#session   optional    pam_lastlog.so

# Display the message of the day - Disabled by default
#session   optional    pam_motd.so

# Check user's mail - Disabled by default
#session   optional    pam_mail.so      standard quiet

# include system session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login</code>
EOF</kbd>
</pre>
          </div>
          <div class="sect4">
            <div class="titlepage">
              <div>
                <div>
                  <h5 class="title">
                    <a id="idm45779283719040" name=
                    "idm45779283719040"></a>'passwd'
                  </h5>
                </div>
              </div>
            </div>
            <pre class="root">
<kbd class="command">cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<code class="literal"># Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd</code>
EOF</kbd>
</pre>
          </div>
          <div class="sect4">
            <div class="titlepage">
              <div>
                <div>
                  <h5 class="title">
                    <a id="idm45779283716032" name=
                    "idm45779283716032"></a>'su'
                  </h5>
                </div>
              </div>
            </div>
            <pre class="root">
<kbd class="command">cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<code class="literal"># Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so

# Allow users in the wheel group to execute su without a password
# disabled by default
#auth      sufficient  pam_wheel.so trust use_uid

# include system auth settings
auth      include     system-auth

# limit su to users in the wheel group
auth      required    pam_wheel.so use_uid

# include system account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session settings
session   include     system-session

# End /etc/pam.d/su</code>
EOF</kbd>
</pre>
          </div>
          <div class="sect4">
            <div class="titlepage">
              <div>
                <div>
                  <h5 class="title">
                    <a id="idm45779283712512" name=
                    "idm45779283712512"></a>'chage'
                  </h5>
                </div>
              </div>
            </div>
            <pre class="root">
<kbd class="command">cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<code class="literal"># Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system auth, account, and session settings
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required    pam_permit.so

# End /etc/pam.d/chage</code>
EOF</kbd>
</pre>
          </div>
          <div class="sect4">
            <div class="titlepage">
              <div>
                <div>
                  <h5 class="title">
                    <a id="idm45779283709248" name=
                    "idm45779283709248"></a>Other common programs
                  </h5>
                </div>
              </div>
            </div>
            <pre class="root">
<kbd class=
"command">for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done</kbd>
</pre>
            <div class="admon warning">
              <img alt="[Warning]" src="../images/warning.png" />
              <h3>
                Warning
              </h3>
              <p>
                At this point, you should do a simple test to see if
                <span class="application">Shadow</span> is working as
                expected. Open another terminal and log in as a user, then
                <span class="command"><strong>su</strong></span> to
                <code class="systemitem">root</code>. If you do not see any
                errors, then all is well and you should proceed with the rest
                of the configuration. If you did receive errors, stop now and
                double check the above configuration files manually. One
                obvious reason for an error is if the user is not in group
                <code class="systemitem">wheel</code>. You may want to run
                (as <code class="systemitem">root</code>): <span class=
                "command"><strong>usermod -a -G wheel <em class=
                "replaceable"><code>&lt;user&gt;</code></em></strong></span>.
                Any other error is the sign of an error in the above
                procedure. You can also run the test suite from the
                <span class="application">Linux-PAM</span> package to assist
                you in determining the problem. If you cannot find and fix
                the error, you should recompile <span class=
                "application">Shadow</span> adding the <code class=
                "option">--without-libpam</code> switch to the <span class=
                "command"><strong>configure</strong></span> command in the
                above instructions (also move the <code class=
                "filename">/etc/login.defs.orig</code> backup file to
                <code class="filename">/etc/login.defs</code>). If you fail
                to do this and the errors remain, you will be unable to log
                into your system.
              </p>
            </div>
          </div>
          <div class="sect4">
            <div class="titlepage">
              <div>
                <div>
                  <h5 class="title">
                    <a id="pam-access" name="pam-access"></a>Configuring
                    Login Access
                  </h5>
                </div>
              </div>
            </div>
            <p>
              Instead of using the <code class=
              "filename">/etc/login.access</code> file for controlling access
              to the system, <span class="application">Linux-PAM</span> uses
              the <code class="filename">pam_access.so</code> module along
              with the <code class=
              "filename">/etc/security/access.conf</code> file. Rename the
              <code class="filename">/etc/login.access</code> file using the
              following command:
            </p>
            <pre class="root">
<kbd class=
"command">[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</kbd>
</pre>
          </div>
          <div class="sect4">
            <div class="titlepage">
              <div>
                <div>
                  <h5 class="title">
                    <a id="pam-limits" name="pam-limits"></a>Configuring
                    Resource Limits
                  </h5>
                </div>
              </div>
            </div>
            <p>
              Instead of using the <code class="filename">/etc/limits</code>
              file for limiting usage of system resources, <span class=
              "application">Linux-PAM</span> uses the <code class=
              "filename">pam_limits.so</code> module along with the
              <code class="filename">/etc/security/limits.conf</code> file.
              Rename the <code class="filename">/etc/limits</code> file using
              the following command:
            </p>
            <pre class="root">
<kbd class=
"command">[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</kbd>
</pre>
            <div class="admon caution">
              <img alt="[Caution]" src="../images/caution.png" />
              <h3>
                Caution
              </h3>
              <p>
                Be sure to test the login capabilities of the system before
                logging out. Errors in the configuration can cause a
                permanent lockout requiring a boot from an external source to
                correct the problem.
              </p>
            </div>
          </div>
        </div>
      </div>
      <div class="content" lang="en" xml:lang="en">
        <h2 class="sect2">
          Contents
        </h2>
        <p>
          A list of the installed files, along with their short descriptions
          can be found at <span class="phrase"><a class="ulink" href=
          "../../../../lfs/view/9.1/chapter06/shadow.html#contents-shadow">../../../../lfs/view/9.1/chapter06/shadow.html#contents-shadow</a></span>
          .
        </p>
      </div>
      <p class="updated">
        Last updated on 2020-02-15 08:54:30 -0800
      </p>
    </div>
    <div class="navfooter">
      <ul>
        <li class="prev">
          <a accesskey="p" href="polkit.html" title="Polkit-0.116">Prev</a>
          <p>
            Polkit-0.116
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="ssh-askpass.html" title=
          "ssh-askpass-8.2p1">Next</a>
          <p>
            ssh-askpass-8.2p1
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 9.1">Home</a>
        </li>
      </ul>
    </div>
  </body>
</html>
